31 Changes in MySQL Enterprise 5.1.46sp1 [QSP] (2010-06-23)

This is a Service Pack release of the MySQL Enterprise Server 5.1.

Important

If you intend to use the plugin version of
InnoDB, we recommend that you use
MySQL 5.1.48 or later instead of 5.1.46sp1. 5.1.46sp1 contains
the first production-ready version of the plugin, and later
releases include fixes for bugs found during more widespread
production use.

Bugs Fixed

Security Fix:
The server failed to check the table name argument of a
COM_FIELD_LIST command packet for validity
and compliance with the rules for acceptable table names. This
could be exploited to bypass almost all forms of privilege checks
and table-level grants by providing a specially crafted table
name argument to COM_FIELD_LIST.

In MySQL 5.0 and above, this permitted an authenticated user
with SELECT privileges on one
table to obtain the field definitions of any table in all other
databases and potentially of other MySQL instances accessible
from the server's file system.

Additionally, for MySQL version 5.1 and above, an authenticated
user with DELETE or
SELECT privileges on one table
could delete or read content from any other table in all
databases on this server, and potentially of other MySQL
instances accessible from the server's file system.
(Bug #53371, CVE-2010-1848)

Security Fix:
The server was susceptible to a buffer-overflow attack due to a
failure to perform bounds checking on the table name argument of
a COM_FIELD_LIST command packet. By sending
long data for the table name, an authenticated user could overflow
a buffer, which could be exploited to inject malicious code.
(Bug #53237, CVE-2010-1850)

Security Fix:
The server could be tricked into reading packets indefinitely if
it received a packet larger than the maximum size of one packet
(the max_allowed_packet limit).
(Bug #50974, CVE-2010-1849)
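All three Security Fix entries above come down to validating input at the protocol boundary before it is used: bounding the size of a command as its packets are reassembled, and bounding and validating the table name argument of COM_FIELD_LIST. The following is an added example, not MySQL's own code, of a minimal reader for the client/server protocol that applies both checks. The packet layout it parses (3-byte little-endian length, 1-byte sequence id, command byte 0x04, NUL-terminated table name, then the field wildcard) follows the documented wire format; the identifier rules in check_table_name are a simplified model of the documented rules for table names (at most 64 characters, no trailing space, no "/", "\" or "."), not the server's exact code; the sample packets are constructed inline.

```python
"""Added example: protocol-boundary checks for the fixes above (not mysqld code)."""

MAX_PACKET_SIZE = 0xFFFFFF          # a payload of exactly this length means "more follows"
COM_FIELD_LIST = 0x04               # command byte for COM_FIELD_LIST
NAME_CHAR_LEN = 64                  # MySQL identifier limit, in characters
NAME_BYTE_LEN = NAME_CHAR_LEN * 3   # utf8 in 5.1 is at most 3 bytes per character
PATH_CHARS = frozenset(b"/\\.")     # characters that could escape the database directory


class ProtocolError(Exception):
    """Raised when a packet must be rejected rather than processed."""


def build_packets(payload: bytes) -> bytes:
    """Split a command payload into wire packets the way a client does
    (constructed test helper; long payloads continue in 0xFFFFFF-byte chunks)."""
    out = bytearray()
    seq = pos = 0
    while True:
        chunk = payload[pos:pos + MAX_PACKET_SIZE]
        out += len(chunk).to_bytes(3, "little") + bytes([seq])
        out += chunk
        pos += len(chunk)
        seq = (seq + 1) & 0xFF
        if len(chunk) < MAX_PACKET_SIZE:    # a short (or empty) packet ends the command
            return bytes(out)


def read_command(stream: bytes, max_allowed_packet: int) -> tuple[bytes, int]:
    """Reassemble one command from raw bytes, refusing to grow the buffer past
    max_allowed_packet. Returns (payload, bytes consumed).

    The size check is made on the header, before any body bytes are copied,
    so a peer cannot keep the server reading continuation packets forever."""
    payload = bytearray()
    offset = 0
    expected_seq = 0
    while True:
        header = stream[offset:offset + 4]
        if len(header) < 4:
            raise ProtocolError("truncated packet header")
        length = int.from_bytes(header[:3], "little")
        if header[3] != expected_seq:
            raise ProtocolError("packet out of sequence")
        if len(payload) + length > max_allowed_packet:
            raise ProtocolError("command exceeds max_allowed_packet")
        body = stream[offset + 4:offset + 4 + length]
        if len(body) != length:
            raise ProtocolError("truncated packet body")
        payload += body
        offset += 4 + length
        expected_seq = (expected_seq + 1) & 0xFF
        if length < MAX_PACKET_SIZE:
            return bytes(payload), offset


def check_table_name(name: bytes) -> None:
    """Reject a table name that is not an acceptable identifier.
    Simplified model of the documented table-name rules (assumption, not the
    server's exact check_table_name()): bounded length, valid utf8, no
    trailing space, no path characters."""
    if not name:
        raise ProtocolError("empty table name")
    if len(name) > NAME_BYTE_LEN:           # bound the byte length before any copy
        raise ProtocolError("table name too long")
    try:
        text = name.decode("utf8")
    except UnicodeDecodeError:
        raise ProtocolError("table name is not valid utf8") from None
    if len(text) > NAME_CHAR_LEN:
        raise ProtocolError("table name too long")
    if text.endswith(" "):
        raise ProtocolError("trailing space in table name")
    if any(b in PATH_CHARS for b in name):
        raise ProtocolError("path characters in table name")


def is_valid_table_name(name: bytes) -> bool:
    """Boolean wrapper around check_table_name for callers that do not want exceptions."""
    try:
        check_table_name(name)
        return True
    except ProtocolError:
        return False


def parse_com_field_list(payload: bytes) -> tuple[str, str]:
    """Parse a COM_FIELD_LIST payload: command byte, NUL-terminated table
    name, then the field wildcard (remainder of the packet)."""
    if not payload or payload[0] != COM_FIELD_LIST:
        raise ProtocolError("not a COM_FIELD_LIST packet")
    body = payload[1:]
    nul = body.find(b"\x00")
    if nul < 0:
        raise ProtocolError("table name is not NUL-terminated")
    table, wildcard = body[:nul], body[nul + 1:]
    check_table_name(table)                 # validate before the name is used anywhere
    return table.decode("utf8"), wildcard.decode("utf8", "replace")


if __name__ == "__main__":
    # Constructed sample: a well-formed request for table "users", wildcard "%"
    good = build_packets(bytes([COM_FIELD_LIST]) + b"users\x00%")
    payload, used = read_command(good, max_allowed_packet=1024)
    print(parse_com_field_list(payload), used)
    # A name that tries to leave the database directory is refused
    print(is_valid_table_name(b"../mysql/user"))
```

The order of the checks is the point: the size of a command is compared against max_allowed_packet from the header alone, before any body is read, and the table name is length-bounded and character-checked before it is converted or copied into any fixed-size buffer or used to locate a table.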

InnoDB: InnoDB attempted to choose off-page
storage without ensuring that there was an “off-page
storage” flag in the record header. To correct this, in
DYNAMIC and COMPRESSED
formats, InnoDB stores locally any
non-BLOB columns having a maximum
length not exceeding 256 bytes. This is because there is no room
for the “external storage” flag when the maximum
length is 255 bytes or less. This restriction trivially holds in
REDUNDANT and COMPACT
formats, because there InnoDB
always stores locally columns having a length up to
local_len = 788 bytes.
(Bug #52745)